Singapore to Open Cybersecurity Agency

As the Singapore government firms up its plan to set up a new agency to work closely with private-sector bodies in driving strategic cybersecurity initiatives, security experts question whether the agency can take a holistic approach and effectively coordinate with industry.

The Prime Minister's Office says CSA will start operations on April 1, with the objective of consolidating and centralizing oversight of cybersecurity functions.

Government sources say Yaacob Ibrahim, minister for communications and information, will be minister-in-charge of cybersecurity. The agency will work closely with the private sector on strategy and policy development, as well as build the capacity of skilled InfoSec professionals.

The CSA, which will come under the purview of the prime minister's office, will replace the functions of the Singapore Infocomm Technology Security Authority and take over some roles currently undertaken by the Infocomm Development Authority and Singapore Emergency Response Team.

"There is a need to grow Singapore's pool of InfoSec experts and build their capabilities to defend network infrastructure from cyberthreats," Ibrahim says.

Ibrahim also says the city-state is upgrading its Cyber-Watch Centre, which would track malicious activities and respond swiftly to security breaches.

CSA will also work with Singapore's institutes of higher learning to include InfoSec courses and degree programmes in the curriculum, besides working with industry partners to attract and retain skilled professionals.

Experts on CSA's Mission

Robert Sin Hock Poh, director of Singapore Programme at Financial Services Information Sharing and Analysis Center (Asia), feels the government is moving in the right direction.

"Earlier, there was not much co-ordination from the IDA with the private and public enterprises on the cybersecurity front, since it was seen as a broad phenomenon," Poh says. "But I'd expect CSA to work closely and be a good one-point contact on dealing with cybersecurity issues."

Some issues Poh expects CSA to deal with are: making the cybersecurity policy that IDA came up with operational; giving impetus to the cyber intelligence framework of the country; building sufficient cyber skills; and building capacity within the state to fight growing cybercrime.

Against this backdrop, he says, "CSA's role would be justified in striking the right chord between public and private sectors so they make efforts to protect national infrastructure, particularly in the energy, banking, power, transport and telecommunications sectors."

John Lim, president of ISACA in Singapore, points out that CSA's key mission should harness the combined resources existing in the industry, whether talent pool, security solutions, or technologies, in tackling emerging cyber-threats.

"CSA should take a holistic view and align with various parties in developing emergency response teams," says Lim.

Experts assume that CSA will rope in existing agencies under the ministry of home affairs and IDA in implementing the cybersecurity master plan to build relevant systems to monitor and respond to threats.

Beefing up Security

One challenge the government faces is a lack of appropriately trained, qualified and certified cybersecurity professionals.

Lim emphasizes that a strategy for IT security capabilities must be in place for any organization seeking to improve its cybersecurity posture.

"CSA should consider how to increase knowledge and professionalism among cybersecurity professionals, and continuous education and awareness in harnessing new technologies," argues Lim.

The key issue, says CyberArk's Dinnar, is that though organizations have made investments in information security, they have primarily been reflective of compliance mandates. Today, there's a pressing need for dynamic security practices to help protect, detect, monitor and respond to potential threats.

"Many organizations are still using perimeter-based security strategies," he says. "A determined attacker will bypass the perimeter with ease."

He recalls a statement made by former United States FBI Director, Robert Mueller, in 2012: "There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again."

"Attackers are already inside the network, so organizations need to look at deploying defences that focus on preventing an attacker from moving around behind the perimeter, on the inside; for this, CSA must take up some educational program for citizens and enterprises," points out Dinnar.

However, Poh says that while the government has effective security measures and policies in place, the most desired action is to get the right message across to enterprises.

"Information sharing and finding a method to educate and create awareness among security practitioners across the private and public enterprises is vital in preventing cyberattacks or creating a cyber-secure eco-system," Poh says.

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
